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Michele DaH'Arno/'B Elsa Passaro/ Rodrigo Gallego,^ Marcin Pawlowski,^ and Antonio Aci: 



,1,3 



(N 

O 
(N 
» 

o 

> ■ 

fl- 
ed- 

=3: 



(N 

d 



^ ICFO-Institut de Ciencies Fotoniques, Mediterranean Technology Park, E-08860 Castelldefels (Barcelona), Spain 
^Department of Mathematics, University of Bristol, Bristol BS8 ITW, United Kingdom 
^ ICREA-Institucio Catalana de Recerca i Estudis Avangats, Lluis Companys 23, E-08010 Barcelona, Spam 

(Dated: October 5, 2012) 

Recently several semi-device independent quantum protocols were proposed - e.g. for secure key 
distribution, random access coding, and randomness generation - in a scenario where no assumption 
on the internal working of the devices used in the protocol is made, except their dimension. These 
protocols, while being often more practical than fuUy-device independent ones, are also clearly more 
secure than their device dependent counterparts. Nevertheless, we discuss conditions under which 
detection inefBciencies can be exploited to fake the result of the protocol - and how to prevent it - 
in terms of the detection probability and of the worst case success probability of a random access 
code. 



I. INTRODUCTION 

In the last decades, the distinguishing properties of 
quantum theory have been exploited to accomplish tasks 
vifhich are unfeasible in classical theory [l| . For example, 
protocols were proposed for secure quantum key distri- 
bution (QKD) [1, Q, quantum teleportation and 
quantum randomness generation (QRG) With no 

exceptions, the first protocols to be proposed were de- 
vice dependent, namely their success critically relies on 
the agreement between the description of the setup and 
its implementation. Since this hypothesis is never exactly 
fulfilled, in experimental implementations a plethora of 
related problems arises 

Subsequently fully-device independent protocols were 
proposed [i,[iS[iil, in a scenario where the devices are 
completely uncharacterized and the success only depends 
on the statistics between inputs and outputs. These pro- 
tocols, while extremely robust due to the weakness of 
the hypothesis on which they rely, are often unfeasible 
from the experimental viewpoint. For example, known 
device independent QKD protocols are entanglement- 
based, while all experimental realizations of QKD im- 
plement prepare and measure schemes. 

Recently, semi-device independent quantum protocols 
were proposed, where only the dimension of the ex- 
changed system is assumed while the devices are un- 
characterized. These protocols represent an intermedi- 
ate solution between device-dependent and fully device- 
independent protocols. For example, at the price of 
upper bounding the dimension of the system, secure 
QKD is possible 12| in a measure and prepare scheme, 
and semi-device independent protocols for QRG are also 
known [Tsj . 

Despite their security, real world implementations of 
semi-device independent protocols are subject to detec- 
tion loophole (DL) attacks 14] - as happens for any fully- 
device independent protocol. In this attack, a malicious 
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provider exploits non-ideal detection efficiencies to skew 
the statistics of the experiment and ultimately faking its 
result. Losses may affect not only the measuring devices, 
but also the preparing ones. For example, if the prepara- 
tions are produced with heralded photons, an entangled 
pair is prepared and one of its photons measured by a 
lossy device to collapse the other to the desired state. 

The aim of this work is to provide conditions under 
which DL attack is harmless in faking the result of a semi- 
device independent protocol. In Section |lT] we introduce 
DL attacks and present our main results. In Section [II Al 
we derive conditions under which a DL attack is harm- 
less in terms of the detection probability, in the general 
framework where only the statistics of the protocol is 
taken into account. In Section FlI BI we regard semi-device 
independent protocols as random access codes, and show 
that protocols that only depend on a particular function 
of the statistics - namely, the worst case success proba- 
bility - are immune to DL attack. Finally we summarize 
our results and delineate some further developments in 
Section Iml 



II. DETECTION LOOPHOLE ATTACK 

In the setup of any semi-device independent protocol 
two distant parties, say Alice and Bob, are involved. In 
this work we consider protocols in which each party has 
access to uncorrelated random number generators p^ . 
For each round, we denote by j (i) the random variable 
generated by Alice's (Bob's) generator and with qj [pi) its 
probability distribution. These probability distributions 
are independent. Random variables j and i represent 
the strategy that Alice and Bob apply, respectively. This 
scheme is depicted in Figure [TJ 

In each run, they get classical inputs a and h respec- 
tively. Alice sends a message A - which may be classical 
or quantum - to Bob, who then returns a classical value 
B. Finally they collect the statistics of several runs (the 
asymptotic case is always considered) , obtaining the con- 
ditional probability distribution P(B|a, 6) of outcome B 
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clearly be achieved without resorting to it, so Eq. ([2]) 
can be simplified as 
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FIG. 1. (Color online) Scheme of a generic semi-device in- 
dependent protocol. Two distant parties Alice and Bob are 
provided a black box each (bold-line boxes in the Figure). 
Alice's and Bob's boxes receive classical input a and 6 respec- 
tively. Each box is allowed to use a classical random generator 
(dashed- line boxes), which outcome - j for Ahce's box and i 
for Bob's - is not accessible to the parties but can influence 
the outcome of the box. Ahce's box sends quantum message 
A to Bob, that finally outputs classical message B. 



given inputs a and 6, namely 

P{B\a,b) :=Y,P^q3P^iB\A,b)Pj{A\a). (1) 

It is important to stress that - as Eq. ([T|) clearly shows - 
access is granted only to the inputs a, b and the output 
B, while no knowledge of the internal behavior of the 
black boxes (including the random variables and of 
the message A is provided. 

In the context of DL attack we assume that for each 
round of the experiment Alice or Bob can claim that their 
"detector did not click" , and in this case this round of the 
experiment is discarded from the statistics. In general, 
Alice's box can decide whether to click after receiving 
her input a and random variable j, while Bob's box after 
receiving his input b, the message A and random variable 
i. Thus, the detection efficiencies, i.e. the probabilities 
that the detector clicks, are denoted with r]j{a) for Al- 
ice and rii(A,b) for Bob, and the conditional probability 
distribution of outcome B given inputs a and b in the 
presence of a DL attack is given by 



PDLiB\a,b) 



Y.^.,,AP^qMA,b)vM)P,{B\A,b)P,[A\a) 



'Et.,AP^<ljVziAb)Vj{a)Pj{A\a) 



(2) 



We use the subfix DL whenever a distribution is obtained 
resorting to DL attack. We are assuming that for every 
input a, b there is a non-zero probability of click, namely 
denominator in Eq. ([2]) is strictly larger than for any a 
and b. 

Notice that whether Alice uses DL is not relevant [13] , 
since any settings she can prepare with DL can also 



PDL{B\a,b) 



j:^^^p,r,M,miB\A,b)PiA\a) 
j:^^^pMA,b)PiA\a) 



(3) 



A. Security based on the detection probability 

The success of semi-device independent quantum pro- 
tocols depends on the statistics they generate. Usually, a 
large enough value of a particular function of such statis- 
tics ensures the success of the protocol. Yet, in general, 
a necessary condition for their success is the ability to 
discriminate whether the source is intrinsically quantum 
or it can be described as a classical distribution, build- 
ing only on the knowledge of the conditional probability 
distribution P{B\a,b). That is, it is necessary to certify 
that the observed correlations cannot be explained clas- 
sically and, therefore, are potentially useful for quantum 
protocols without classical analogue. For this reason, ex- 
ploiting DL attack to convert a classical P{B\a,b) into 
an intrinsically quantum PDL{B\a, b) guarantees a faking 
of the result of the protocol. In this Section we provide 
conditions under which DL attack can by no means re- 
cast a classical P{B\a,b) into an intrinsically quantum 
PDL{B\a, b) thus faking the result of the protocol. 

We say that a conditional probability distribution 
P{B\a,b) of outcome B given inputs a on Alice's side 
and b on Bob's side admits a classical (quantum) d- 
dimensional model if it can be written as 

P{B\a, b)=J2 PiB\A, b)P{A\a), 

A 

where 

Y,PiA\a) = l, ^P(i?|A,6) = l, 

A B 

P{A\a)>OWA,a, P{B\A,b) > OVB, A,b, 

and where A is a classical (quantum) d-dimensional sys- 
tem. 

The probability of click on Bob's side given he received 
message A from Alice and input b is given by 

Q{B^NC\A,b) :=;^p,r,,(A,6), 

i 

where we denoted with NC the no-click event. The fol- 
lowing Proposition shows that whenever Q{Bj^NC\A, b) 
is independent on A, DL attack is harmless. Notice that 
this is the case for example whenever loss can reasonably 
be modeled as affecting the measurement irrespectively of 
the input state, namely the detection efficiencies r]i(A, b) 
are independent on A. 

Proposition 1. // Q{B^NC\A,b) = Q{By^NC\b) 
for any A,b, then if P£iL{B\a,b) does not admit 
a d- dimensional classical (quantum) model then also 
P(B\a, b) does not admit a d-dimensional classical (quan- 
tum) model. 
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Proof. First we show that under the hypothesis 
Q{By^NC\A,b) = Q{By^NC\b), if P{B\a,b) admits 
a d-dimensional classical (quantum) model then also 
PDLiB\a,b) admits a d-dimensional classical (quantum) 
model. Upon introducing hypothesis into Eq. ([3]) one has 



PDL{B\a,b) 
Upon setting 

PDLiB\A, b) 



J:^^^P^mib)P^{B\A,b)P{A\a) 
Q{B^NC\b) 



J:^pMAb)P^{B\A,b) 
Q{B^NC\b) 



one clearly has J2b PDL{B\A,b) = 1 and PDL{B\A,b) > 
for any B,A,b. Then PDL{B\a,b) admits the d- 
dimensional classical (quantum) model 

PDLiB\a,b) =Y,PDLiB\A,b)P{A\a). 



Then, whenever PDL(_B|a, 6) does not admit a d- 
dimensional classical (quantum) model, also P{B\a,b) 
does not. □ 

Since by assumption the devices are uncharacterized 
and the message A sent by Alice to Bob is not directly 
accessible to the parties, it is impossible without intro- 
ducing other assumptions to verify whether the detection 
efhciencies rii{A,b) are indeed independent on A. Next 
Proposition provides conditions under which the hypoth- 
esis of Proposition[T]is verified in terms of the probability 
Q{B^NC\a, b) of click given inputs a on Alice's side and 
b on Bob's side, namely 

Q{B^NC\a,b) := J2pMAb)P{A\a). 



Notice that this probability is accessible to the parties, 
being a function of the inputs a, b which are in turn ac- 
cessible. 

Proposition 2. If Q{B^NC\a,b) Q{B^NC\b) for 
any a,b, then if PoL{B\a,b) does not admit a 2- 
dimensional classical model then also P{B\a,b) does not 
admit a 2-dimensional classical model. 

Proof. By hypothesis, for any input oq, cii on Alice's side 
one has 

Q{B^NC\A, b) [P{A\a=ao) - P(A|a==ai)] = 0, 



where the sum is over A = 0,1. 

Rearranging explicitly the terms in previous Equation 
and using the fact P{A = l\a) = 1 — P{A — 0\a) for any 
a, one obtains that either 

P(A=0|a=ao) = P{A^O\a^ai), 



for any or ag, ai, namely the message A sent by Alice is 
independent on her input a, or 

Q{By^NC\A=0,b) = Q{B^NC\A=l,b), 

for any b, namely the probability of click on Bob's side is 
independent on the message A received from Alice. 

In the former case P{B\a,b) clearly admits a classical 
local model, namely one in which no message is sent from 
Alice to Bob, and the same holds true for PDL{B\a, b) due 
to Eq. dS]). In the latter case the hypothesis of Proposi- 
tion [T] is satisfied, and thus the statement is proven. □ 



B. Security based on the success probability 

In previous Section we discussed conditions under 
which it is impossible to fake a necessary condition for 
the success of any semi-device independent protocol, in 
the general framework where the statistics of the pro- 
tocol is taken into account. In the present Section, we 
devise functions of such statistics that can not be altered 
by a DL attack in the particular framework of (quantum) 
random access codes. Thus, any semi-device independent 
protocol building only on these functions will be immune 
to DL attack. 

A semi-device independent protocol can be viewed as a 
random access code (RAC) or a quantum random access 
code (QRAC) [2l|. In the context of RACs and QRACs, 
the aim of the two distant parties Alice and Bob is to 
maximize the value of some figure of merit which is a 
function of the input/output statistics. RACs (QRACs) 
are usually denoted with the notation n ^ m. Here n is 
the number of input bits of Alice, namely the dimension 
of input a is dim(a) ~ 2", while m is the number of bits 
(qubits) sent by Alice, namely the dimension of message 
A is dim(A) = 2"^. 

In this Section we exploit the formalism of RACs and 
QRACs and consider as a figure of merit the worst case 
success probability to have that B — f{a, b) for a specific 
function /(a, b) G {0, 1}, namely 



:= minP{B=f{a,b)\a,b). 

a.b 



The probability that B — f{a,b) with the DL exploit is 
given by 



PDL{B=f{a,b)\a,b)^ 



^wM,(^,b)P,{B^f{a,b)\A,b) 



J2^,A Wi{A,a,b) 



(4) 



where Wi{A,a,b) — pirii{A,b)P{A\a) and the worst case 
probability that B — f{a, b) is given by 

PSl ■.= minPDL{B=f{a,b)\a,b). 

a.b 

The following Proposition provides conditions under 
which the worst case success probability can not be in- 
creased resorting to DL exploit. When these hypothesis 
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are satisfied, a protocol relying on the worst case success 
probability may not be affected by DL attack. 

Proposition 3. // the worst case success probability 
without resorting to DL attack is P""^=l/2, then the 
worst case probability of success resorting to DL attack 
IS 

Proof. The proof proceeds by absurd assuming P""^ = 
1/2 and P^£ > 1/2. 

Equation ^ is the weighted sum of the num- 
bers Pi{B — f{a,b)\A,b) with weights Wi{A,a,b) — 
Pir]i{A,b)P{A\a) and therefore is upper bounded by 

PoUB^fia, b)\a, b) < mei^{P,{B=f{a, b)\A, 6)}, 

A,i 



and one has 



P^l < mmmax{P,{B=f{a,b)\A,b)}. 

a,b A,i 



Since we are assuming P|^£ > 1/2 there exists a strat- 
egy io of Bob and a message Aq of Alice such that for all 
a, b one has Pig{B = f{a, b)\Ao, b) > 1/2. Then Bob can 
exploit a new strategy where he applies strategy io when- 
ever he gets Aq and returns a random number otherwise, 
for which the probability P{B=f{a, b)\a, b) of B—f{a, b) 
given inputs a and b is given by 



P{B^f{a,b)\a,b) 



P,„{B^f{a,b)\Ao,b) 



1 



P(Ao\a) 



This new strategy does not resort to DL and since 
Pif,{B ~ f{a, b)\Ao,b) > 1/2 it has the worst case success 
probability greater than 

P^-^mm{P{B^f{a,b)\a,b)}>l 

a,b Z 



which contradicts the assumptions. 



□ 



The following Corollary shows that for any n — >■ 1 RAC 
the DL attack is harmless. 

Corollary 1. For any n ^ 1 RAC the worst case success 
probability resorting to DL attack is P^£=l/2. 

Proof. In 22] it was shown that for any rt — > 1 RAC the 
hypothesis of Proposition [3] are fulfilled, namely P^'^ — 
1/2, so the statement follows. □ 

In the case of 2 1 and 3 — > 1 QRACs the worst 
case success probabilities are Q2 ~ ^ {} ~^ ^^'^ 
Qs = i^l-l--^^ correspondingly |21j]. If the detec- 
tors are inefficient and Bob's device randomly chooses 
the outcome when its detector did not click then these 
probabfiities become 77Q2 + — v)^ ^nd rjQ^ -I- (1 — 77) i 
which for all efficiencies > are better than the clas- 
sical success probability. Notice however that this is as 
far as QRACs can go because for all n > 3 one has that 



n — > 1 QRACs have worst case success probability equal 
to i i23lj. 

One may ask whether it is possible to relax the hy- 
pothesis of Proposition[3] We provide here an example of 
RAC with worst case success probability larger than 1/2, 
and show that this probability can be increased using DL 
attack. Consider the 3 log 6 RAC. Alice is given three 
independent bits oq, ai, 02, namely a = ao i?) oi ® ai, and 
she can send to Bob a 6-dimensional message or, equiva- 
lently, one bit Aq and one trit Ai, namely A = Aq ^ Ai. 
Bob's input is the trit & = 0, 1, 2 and the function to be 
computed is /(a, b) = ajj. 

Here we show that the worst case success probability 
P"«= without resorting to DL of 3 -J> log 6 RAC is P"^" < 
0.981, while there exists a DL attack such that the worst 
case success probability is P^£ = 1. 

First, we prove that for the 3 log 6 RAC one has 
pwc ^ 0.981. Information Causality ^24] provides a 
bound on average case quantum success probability of 
n m QRAC. Also, an explicit upper bound for the 
worst case quantum success probability - which is clearly 
at least as large as the classical one P""^ - was derived 
in 25] in the context of quantum finite automata, namely 

(1 - /i(P"'"))7i < m, 

where h{.) is the Shannon binary entropy function. Set- 
ting 71 3 and m — log 6 we get P™'^ < 0.981. 
2 Now we provide a protocol using DL which achieves 
-the worst case success probability P^£ = 1. The idea is 
to use part of the communicated message to distribute 
randomness. Alice can choose the trit Ai at random and 
encode Aq = oa^, in other words she sends one of her 
bits randomly to Bob but also sends him information 
regarding which bit it is. If 6 = Ai then Bob returns 
B = Aq which is equal to a^. If 6 7^ Ai his detector does 
not click. The detection efficiency of Bob's device with 
this protocol is given by r]i{A,b) = Sb.Ai (according to 
Proposition [U DL attack would be harmless if rii{A, b) is 
independent on A) and the worst case success probability 
is given by P^£ ~ 1. 



III. CONCLUSION 

In this work we addressed the problem of how non-ideal 
detection efficiencies can be exploited to fake the result 
of semi-device independent quantum protocols through 
DL attacks. We discussed conditions under which DL 
attacks are harmless in terms of the detection probability 
and of the worst case success probability of a RAC. Our 
main results can be used as a guideline to devise quantum 
protocols resistant to DL attacks, being thus of relevance 
for applications such as QKD and QRG. 

Some of the presented results - namely Proposition [2] 
and Corollary [1] - hold in the hypothesis that the mes- 
sage A sent by Alice is 2-dimensional and classical. We 
showed through the example 3 — log 6 RAC that these 
assumptions can not be relaxed trivially. Thus remains 
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an open problem how to devise more general conditions 
under which DL attack is harmless. 
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